Cyber Resilience

CVE-2025-1643

Medium · Public PoC

Published: 25 February 2025

Modified: 28 February 2025
KEV Added
Patch
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0010 (27.2th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1643 is a medium-severity CSRF (CWE-352) vulnerability in Modernasistemas Modernanet. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-1643 is a cross-site request forgery (CSRF) vulnerability, rated as problematic, in Benner ModernaNet versions up to 1.1.0. The issue affects the processing of the /DadosPessoais/SG_AlterarSenha endpoint, associated with CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating network accessibility with low complexity but requiring user interaction.

Remote attackers without privileges can exploit this vulnerability by tricking authenticated users into performing unintended actions via forged requests to the vulnerable endpoint. Successful exploitation results in low-impact integrity violations, such as unauthorized modifications, with no confidentiality or availability effects.

Advisories recommend upgrading to Benner ModernaNet version 1.1.1 to address the issue. Relevant references include VulDB entries at https://vuldb.com/?ctiid.296693, https://vuldb.com/?id.296693, and https://vuldb.com/?submit.500574, as well as a CVE tracking repository at https://github.com/yago3008/cves.

Vulnerability details

A vulnerability was found in Benner ModernaNet up to 1.1.0. It has been rated as problematic. This issue affects some unknown processing of the file /DadosPessoais/SG_AlterarSenha. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1098 · Account Manipulation · Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

Why these techniques?

The CSRF vulnerability in the public-facing web application's password change endpoint (SG_AlterarSenha) enables exploitation of a public-facing application (T1190) and unauthorized account manipulation via a forced password change, leading to account takeover (T1098).

CVEs Like This One

CVE-2025-1642 · Same product: Modernasistemas Modernanet
CVE-2025-1640 · Same product: Modernasistemas Modernanet
CVE-2025-1641 · Same product: Modernasistemas Modernanet
CVE-2026-1169 · Shared CWE-352, CWE-862
CVE-2025-1687 · Shared CWE-352
CVE-2026-24885 · Shared CWE-352
CVE-2025-1891 · Shared CWE-352, CWE-862
CVE-2024-55076 · Shared CWE-352
CVE-2026-40581 · Shared CWE-352, CWE-862
CVE-2020-37158 · Shared CWE-352

Affected Assets

modernasistemas · modernanet · ≤ 1.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SC-23 requires mechanisms to protect communications session authenticity, such as anti-CSRF tokens, directly preventing forged requests in this CSRF vulnerability.

Prevent: SI-10 mandates information input validation, including verification of CSRF tokens or request origins to block unauthorized forged requests to the vulnerable endpoint.

Prevent: AC-3 enforces approved authorizations for access, addressing the missing authorization (CWE-862) aspect that allows CSRF-induced unauthorized modifications.
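
One way to implement the token and origin checks that SC-23 and SI-10 describe for a state-changing endpoint such as a password change, shown as an added example (not code from Benner ModernaNet or from this page). The trusted origin, the `csrf_token` form field name and the secret key are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions (hypothetical, not taken from the product): the trusted origin,
# the "csrf_token" form field name and the per-deployment secret key.
TRUSTED_ORIGIN = "https://app.example.test"
SECRET_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str) -> str:
    """Token bound to one session: random nonce plus HMAC(key, session|nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}|{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def token_is_valid(session_id: str, token: str) -> bool:
    nonce, _, supplied = token.partition(".")
    if not nonce or not supplied:
        return False
    mac = hmac.new(SECRET_KEY, f"{session_id}|{nonce}".encode(), hashlib.sha256)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(mac.hexdigest().encode(), supplied.encode())


def same_origin(headers: dict) -> bool:
    """Accept only an Origin (or Referer fallback) equal to the trusted origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def check_state_change(method: str, headers: dict, form: dict, session_id: str):
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    if method.upper() in SAFE_METHODS:
        return False, "state change must not use a safe method"
    if not same_origin(headers):
        return False, "origin mismatch"
    if not token_is_valid(session_id, form.get("csrf_token", "")):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

The handler would call `check_state_change` before applying the change and reject the request unless it returns `(True, "ok")`; the authorization check that AC-3 covers is still performed separately.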
